Technology Law

Cybersecurity Law & the Cybercrimes Act

Understanding the criminal offences, mandatory reporting obligations, and compliance requirements under South Africa's cybercrime legislation

12 min read · MJ Kotze Inc

The Cybercrimes Act 19 of 2020 represents South Africa's most significant legislative response to the growing threat of cybercrime. Signed into law by the President and with its core provisions brought into operation, the Act creates a comprehensive criminal framework for cyber offences, imposes mandatory offence-reporting obligations on electronic communications service providers and financial institutions, and establishes structures for international cooperation in the investigation and prosecution of cybercrime.

For businesses operating in the digital economy, the Act has practical implications that go well beyond criminal law. It intersects with software and technology law more broadly, particularly in relation to data protection, contractual obligations in SaaS agreements, and the cybersecurity measures that businesses are expected to implement as a matter of course.

Overview of the Cybercrimes Act 19 of 2020

The Cybercrimes Act replaced the outdated and fragmented provisions of the Electronic Communications and Transactions Act 25 of 2002 (ECTA) that dealt with cybercrime. While ECTA contained some provisions addressing unauthorised access and data interference, they were widely regarded as inadequate to address the scale and sophistication of modern cybercrime. The Cybercrimes Act consolidates and expands the criminal law framework, creating new offences, prescribing harsher penalties, and establishing procedural mechanisms for the investigation and prosecution of cyber offences.

The Act applies to any offence committed within the Republic of South Africa, but also has extraterritorial application where a South African citizen commits a cybercrime outside the Republic, or where the offence affects a person, entity, or computer system located within South Africa. This extraterritorial reach is particularly relevant for businesses with cross-border operations and cloud infrastructure hosted outside South Africa's borders.

The Act also establishes structures for the reporting and investigation of cybercrimes. It designates the South African Police Service (SAPS) as the primary investigative authority and establishes a 24/7 point of contact for international cooperation, in line with South Africa's obligations under the Budapest Convention on Cybercrime, which South Africa has signed but not yet ratified.

Key Offences Under the Act

The Cybercrimes Act creates a range of offences that cover the full spectrum of cybercriminal activity. Understanding these offences is important not only for potential perpetrators, but for businesses that may be victims, that may need to report incidents, or that may face liability for inadequate security measures.

Unauthorised Access to a Computer System (Section 2)

Any person who unlawfully and intentionally accesses a computer system or a computer data storage medium without authority or permission commits an offence. This covers traditional hacking, that is, gaining access to a system by bypassing authentication controls, as well as situations where a person exceeds the scope of their authorised access. An employee who accesses confidential business data stored on a system they are not authorised to use could fall within the scope of this provision. Interception of data is dealt with separately in section 3.

Unlawful Interception of Data (Section 3)

The unlawful and intentional interception of data, including communications data, within a computer system constitutes an offence. This provision targets activities such as packet sniffing, man-in-the-middle attacks, and the installation of keyloggers or spyware. It applies regardless of whether the intercepted data is encrypted or unencrypted.

Cyber Fraud (Section 8)

Cyber fraud is committed by any person who unlawfully and with intent to defraud makes a misrepresentation by means of data or a computer program, or by interfering with data or a computer program, causing actual or potential prejudice to another person. This provision covers phishing attacks, business email compromise (BEC) schemes, fake websites designed to harvest credentials, and any other form of online fraud. It significantly expands on the common law crime of fraud by addressing the digital mechanisms through which modern fraud is committed.

Cyber Extortion (Section 10)

Any person who unlawfully and intentionally commits, or threatens to commit, one of the interception, interference or password offences under the Act (including interfering with, damaging or destroying data or a computer system) for the purpose of obtaining an advantage from another person, or to compel another person to do something or to refrain from doing something, commits the offence of cyber extortion. This provision is directly relevant to ransomware attacks, where criminals encrypt a victim's data and demand payment for its release. The encryption of the victim's data is itself unlawful interference with data (section 5), and the accompanying demand completes the offence of cyber extortion.

Malicious Communications (Sections 14 and 15)

The Act creates offences of distributing data messages that are inherently harmful: messages that incite damage to property or violence (section 14), and messages that threaten persons with damage to property or violence (section 15). While these provisions are primarily aimed at combating online harassment and threats, they have broader implications for businesses that operate social media platforms, messaging services, or any digital platform through which users can communicate.

Attempting, Aiding, and Abetting

The Act criminalises not only the commission of cyber offences, but also their attempted commission (section 13). Any person who aids, abets, induces, incites, instigates, instructs, commands, or procures another person to commit an offence under the Act is also guilty of an offence. Furthermore, the unlawful acquisition, possession, provision, or receipt of software or hardware tools (section 4), or of passwords, access codes and similar data or devices (section 7), for the purpose of committing an offence is itself criminal.

Mandatory Breach Reporting (72-Hour Window)

One of the most significant operational obligations imposed by the Cybercrimes Act is the requirement for electronic communications service providers (ECSPs) and financial institutions to report certain cyber offences to the SAPS. Section 54 of the Act requires these entities, once they become aware that their computer system is involved in the commission of an offence under Part I of Chapter 2 (sections 2 to 13) of a category determined by regulation, to report the offence to the SAPS in the prescribed form and manner without undue delay and, where feasible, not later than 72 hours after becoming aware of it. Because not all provisions of the Act were brought into operation at the same time, confirm the current commencement status of section 54 and whether the regulations determining the reportable categories have been made before building compliance processes around it.

The 72-hour reporting window runs from the time the entity becomes "aware" of the offence, not from the time the offence was committed. "Awareness" in this context means actual knowledge, although courts may in future have to consider whether wilful blindness, that is, deliberately avoiding acquiring knowledge of an offence, constitutes awareness for purposes of the provision.

What Must Be Reported

  • Any offence under Part I of Chapter 2 of the Cybercrimes Act, of a category determined by regulation, in which the entity's computer system is involved and of which the entity becomes aware.
  • The report must be made to the SAPS without undue delay and, where feasible, within 72 hours of becoming aware.
  • The entity must preserve any information that may assist law enforcement in the investigation of the offence.
  • Failure to report is itself a criminal offence punishable by a fine.

The mandatory reporting obligation creates a practical need for businesses to implement incident detection and response capabilities. If a business cannot detect a cyber offence, it cannot comply with the 72-hour reporting requirement. This means that robust intrusion detection systems, security monitoring, and incident response procedures are not merely good security practice — they are prerequisites for legal compliance.

Penalties — Fines and Imprisonment

The Cybercrimes Act prescribes significant penalties for the offences it creates. The penalties vary depending on the nature and severity of the offence, and whether the accused is a first-time or repeat offender.

For the core offences under sections 2 to 7 (unauthorised access, interception, interference with data and computer systems), a court may impose a fine, imprisonment for a period not exceeding five years for a first offence, or imprisonment not exceeding ten years for a subsequent offence. For the more serious offences, including cyber fraud under section 8 and cyber extortion under section 10, the court may impose a fine, imprisonment not exceeding ten years for a first offence, or imprisonment not exceeding fifteen years for a subsequent offence.

For the malicious communications offences under sections 14 and 15, the court may impose a fine, imprisonment not exceeding three years for a first offence, or imprisonment not exceeding five years for a subsequent offence. Where the offence is committed against a person in a domestic relationship as defined in the Domestic Violence Act 116 of 1998, the penalties may be enhanced.

Crucially, the failure to comply with the mandatory reporting obligation under section 54 is itself a criminal offence. An electronic communications service provider or financial institution that fails to report a cyber offence within the 72-hour window may be convicted and fined up to R50,000. While this fine may appear modest relative to the potential harm caused by a cyber incident, the reputational damage and regulatory scrutiny that follow a failure to report can be far more significant.

Penalty Summary

Core offences (s 2-7): up to 5 years (first offence) / 10 years (subsequent)
Cyber fraud & extortion (s 8, 10): up to 10 years (first) / 15 years (subsequent)
Malicious communications (s 14-15): up to 3 years (first) / 5 years (subsequent)
Failure to report (s 54): fine up to R50,000

Electronic Communications Service Providers — Specific Obligations

The Act places specific obligations on electronic communications service providers (ECSPs) as defined in the Electronic Communications Act 36 of 2005. These obligations recognise the role that ECSPs play as intermediaries in the digital ecosystem and their capacity to detect, prevent, and assist in the investigation of cybercrimes.

Beyond the 72-hour reporting obligation, ECSPs must comply with preservation and disclosure orders (the Act calls them "directions") issued under Chapter 4. A preservation order under section 39 of the Act requires the ECSP to preserve specified data for a period of up to 90 days, which may be extended by a further 90 days. The data must be kept intact and protected from alteration or deletion. This creates a practical need for ECSPs to maintain data retention capabilities and incident response procedures that enable them to preserve data rapidly upon receipt of an order.

A disclosure order under section 42 compels the ECSP to disclose specified data to an authorised person. The ECSP must comply within the timeframe specified in the order. Non-compliance with a preservation or disclosure order is a criminal offence.

The practical implications for SaaS providers and cloud service operators are significant. If your business provides services that involve the transmission, storage, or processing of data on behalf of others, you may qualify as an ECSP and be subject to these obligations. This should be factored into your service architecture, data retention policies, and the terms of your SaaS agreements.

Interaction with POPIA Breach Notification

A cybersecurity incident will frequently trigger obligations under both the Cybercrimes Act and POPIA simultaneously. Understanding the relationship between these two reporting regimes is essential for managing a cyber incident effectively and lawfully.

Under POPIA section 22, where there are reasonable grounds to believe that personal information has been accessed or acquired by an unauthorised person, the responsible party must notify the Information Regulator and the affected data subjects "as soon as reasonably possible" after the discovery of the compromise. While POPIA does not prescribe a fixed timeframe in the same way the Cybercrimes Act prescribes 72 hours, the Information Regulator has indicated that notification within 72 hours of discovery is expected.

The two regimes are complementary but distinct. The Cybercrimes Act requires reporting to the SAPS and focuses on the criminal offence. POPIA requires notification to the Information Regulator and to affected data subjects, and focuses on the compromise of personal information. A single incident — such as a ransomware attack that results in the exfiltration of personal data — may trigger both obligations simultaneously.

Dual Reporting Obligations

Cybercrimes Act

  • Report to: SAPS
  • Timeframe: 72 hours
  • Trigger: Part I offence involving the entity's computer system (categories determined by regulation)
  • Applies to: ECSPs and financial institutions

POPIA (Section 22)

  • Report to: Information Regulator + data subjects
  • Timeframe: "As soon as reasonably possible"
  • Trigger: Compromise of personal information
  • Applies to: All responsible parties

Businesses should develop incident response plans that address both reporting regimes simultaneously. The plan should identify the responsible persons for each notification stream, establish templates for the required notifications, and ensure that the investigative and forensic processes preserve evidence for potential criminal prosecution while complying with POPIA's transparency requirements. For more on structuring data processing agreements that address breach notification obligations, see our dedicated guide.

Practical Cybersecurity Compliance Steps for Businesses

Compliance with the Cybercrimes Act is not merely about understanding the criminal offences it creates — it requires businesses to implement practical measures that reduce the risk of cyber incidents and ensure compliance with reporting obligations when incidents occur.

1. Develop an Incident Response Plan

Create a documented incident response plan that identifies the team responsible for managing cyber incidents, establishes escalation procedures, defines the criteria for determining whether an incident triggers reporting obligations, and includes pre-drafted notification templates. Test the plan regularly through tabletop exercises and simulated incidents.

2. Implement Technical Security Controls

Deploy intrusion detection and prevention systems, maintain firewalls and endpoint protection, implement multi-factor authentication across all critical systems, encrypt sensitive data at rest and in transit, and establish secure backup and recovery procedures. These measures not only reduce the likelihood of a successful attack but also demonstrate reasonable security practices in the event of litigation.

3. Train Employees

Conduct regular cybersecurity awareness training for all staff, including training on identifying phishing attempts, social engineering attacks, and business email compromise. Most of these attacks depend on a user taking an action, such as approving a payment change or entering credentials on a fake page, so regular training measurably reduces the risk of a successful attack.

4. Review Contracts and Insurance

Review your contracts with service providers, SaaS vendors, and cloud infrastructure providers to ensure that they adequately address cybersecurity obligations, breach notification procedures, and liability allocation. Consider obtaining cyber insurance to mitigate the financial impact of a cyber incident, including costs associated with forensic investigation, legal advice, notification, and business interruption.

5. Establish Data Preservation Capabilities

If your business may qualify as an ECSP, ensure that you have the technical capability to preserve data in response to a preservation order within the timeframes prescribed by the Act. This includes maintaining audit logs, system logs, and access records in a manner that allows them to be isolated and preserved on short notice.

Reporting a Cybercrime — The Process

When a cybercrime occurs — whether your business is the victim, or you become aware of a cybercrime affecting your systems or users — the following practical steps should be followed.

Step 1: Contain the incident. Take immediate steps to prevent further unauthorised access or data loss. This may include isolating affected systems from the network, revoking compromised credentials, and blocking malicious IP addresses. Critically, do not power off, wipe or reimage affected systems before forensic evidence has been preserved: powering off destroys volatile memory, and reimaging destroys the disk evidence an investigator will need.

Step 2: Preserve evidence. Engage a forensic specialist to create forensic images of affected systems and preserve relevant logs. The chain of custody must be maintained to ensure that the evidence is admissible in criminal proceedings. Document all actions taken from the moment the incident was discovered.

Step 3: Report to the SAPS. File a criminal complaint at your nearest police station. The SAPS has established specialised units for the investigation of cybercrimes. You can also report cybercrimes to the SAPS Cybercrime Unit directly. Provide as much detail as possible, including the nature of the offence, the systems affected, the suspected method of attack, and any evidence that has been preserved.

Step 4: Notify the Information Regulator (if personal data is compromised). If the incident involves the compromise of personal information, notify the Information Regulator and affected data subjects as required by POPIA section 22. The notification must describe the nature of the compromise, the personal information involved, the measures taken to address the breach, and the steps the data subject can take to protect themselves.

Step 5: Engage legal counsel. A cybersecurity incident involves complex legal considerations spanning criminal law, data protection, contract law, and potentially insurance law. Early engagement of experienced legal counsel ensures that the response is managed in a way that protects the business's interests, preserves legal privilege where appropriate, and meets all regulatory obligations.
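The two technical parts of this procedure, tracking the reporting clock from the moment of awareness (Step 3) and keeping a chain of custody for preserved evidence (Step 2, and the preservation capability in compliance step 5 above), can be supported with a small amount of tooling. The following is an added example written for this page; it is not code from the Act, the SAPS or MJ Kotze Inc. It computes the section 54 outer limit from a timezone-aware awareness timestamp and keeps a hash-chained custody log in which each entry covers the hash of the previous one, so any later edit or deletion is detectable. The incident time, the names and the two sample log lines are constructed for the example.

```python
"""Incident response helpers: s 54 reporting clock and a hash-chained
chain-of-custody log. Added example, not from the original page."""
import hashlib
import json
from copy import deepcopy
from datetime import datetime, timedelta, timezone

# Section 54: report "without undue delay and, where feasible, not later
# than 72 hours after having become aware". The clock starts at awareness,
# not at the time the offence was committed, and 72 hours is the outer limit.
SAPS_REPORTING_WINDOW = timedelta(hours=72)


def saps_reporting_deadline(aware_at: datetime) -> datetime:
    """Outer limit for the SAPS report. The timestamp must carry a timezone so
    the deadline survives UTC/SAST conversions across teams and tools."""
    if aware_at.tzinfo is None:
        raise ValueError("record the awareness time with an explicit timezone")
    return aware_at + SAPS_REPORTING_WINDOW


def deadline_iso(aware_at_iso: str) -> str:
    """Same calculation on ISO 8601 strings, as logged in an incident record."""
    return saps_reporting_deadline(datetime.fromisoformat(aware_at_iso)).isoformat()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _entry_hash(body: dict, prev_hash: str) -> str:
    # Canonical JSON (sorted keys, no whitespace) so an entry always hashes
    # the same way regardless of how it was serialised or stored.
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return sha256_hex(prev_hash.encode() + payload)


def append_custody_entry(log: list, action: str, actor: str, evidence_id: str,
                         evidence_sha256: str, at: datetime) -> dict:
    """Append a chain-of-custody entry. Its hash covers the previous entry's
    hash, so editing or removing any earlier entry breaks verification."""
    prev_hash = log[-1]["entry_hash"] if log else "0" * 64
    entry = {
        "seq": len(log),
        "at": at.astimezone(timezone.utc).isoformat(),
        "action": action,
        "actor": actor,
        "evidence_id": evidence_id,
        "evidence_sha256": evidence_sha256,
        "prev_hash": prev_hash,
    }
    entry["entry_hash"] = _entry_hash(entry, prev_hash)
    log.append(entry)
    return entry


def verify_custody_log(log: list) -> bool:
    """Recompute every link of the chain; False on any edit, reorder or gap."""
    prev_hash = "0" * 64
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if entry["seq"] != i or entry["prev_hash"] != prev_hash:
            return False
        if _entry_hash(body, prev_hash) != entry["entry_hash"]:
            return False
        prev_hash = entry["entry_hash"]
    return True


def build_demo_log() -> list:
    """Constructed walk-through: an exported auth log is acquired by the on-call
    analyst and handed to forensics. Hostnames, IPs and names are made up."""
    auth_log = (  # constructed sample evidence standing in for a syslog export
        b"Mar  1 08:52:11 app01 sshd[4121]: Failed password for admin from 203.0.113.7\n"
        b"Mar  1 08:52:14 app01 sshd[4121]: Accepted password for admin from 203.0.113.7\n"
    )
    digest = sha256_hex(auth_log)
    aware_at = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)  # constructed
    log: list = []
    append_custody_entry(log, "acquired", "soc-oncall", "EV-001", digest, aware_at)
    append_custody_entry(log, "transferred", "forensics-analyst", "EV-001", digest,
                         aware_at + timedelta(minutes=40))
    return log


def tampered_copy(log: list) -> list:
    """Simulate a quiet after-the-fact edit of who acquired the evidence."""
    bad = deepcopy(log)
    bad[0]["actor"] = "someone-else"
    return bad


if __name__ == "__main__":
    log = build_demo_log()
    print("SAPS outer deadline:", deadline_iso(log[0]["at"]))
    print("chain intact:", verify_custody_log(log))
    print("after tampering:", verify_custody_log(tampered_copy(log)))
```

Treat the computed deadline as the latest acceptable time, not a target; the statutory wording is "without undue delay". The custody log only proves that the record has not been altered since it was written, so store a copy outside the compromised environment (for example, with the forensic images) as soon as it is created.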

Professional Guidance on Cybersecurity Compliance

The Cybercrimes Act imposes real obligations with criminal consequences for non-compliance. Whether you need help developing an incident response plan, reviewing your contractual arrangements with technology providers, or responding to an active cyber incident, prompt and informed legal advice is essential.

MJ Kotze Inc advises businesses on cybersecurity compliance, breach notification procedures, and the contractual frameworks needed to manage cyber risk. For tailored advice, please contact us.

Need Cybersecurity Legal Advice? Contact MJ Kotze Inc

From incident response to regulatory compliance, our team provides practical legal guidance for businesses navigating the Cybercrimes Act and related obligations.
